A ktpass tool version problem causes SPN account creation to fail on the AD domain server

Publication Date: 2012-11-14

Issue Description

A site installed the Secospace platform. Before LDAP authentication can be associated with the customer's AD domain server, an SPN account must be configured. The ktpass.exe tool was downloaded from the Microsoft website as the generation tool, and a .bat batch file was generated according to the operation instructions. When the batch file was executed on the AD domain server, the SPN account was found to be created incorrectly.

Alarm Information

None.

Handling Process

1. Modified the domain suffix in the batch file statement to capital letters; the second alarm still existed.
2. Searched the AD domain server for the associated user name secoadmin and found that the user's attributes were normal.
3. Verified the ktpass.exe tool in the laboratory and found that multiple versions of the file exist. Confirmed that the tool on the win2003 server SP2 CD can correctly generate the SPN account. The ktpass.exe used previously, downloaded from Microsoft's website, belongs to the win 2003 server SP1 version and has a bug.

Root Cause

Analysis of the two alarms: one alarm said that the case of the domain suffix matters and that capital letters must be used. The other alarm said that the user information could not be found. The hint "Successfully mapped seco/SPN to secoadmin" does not mean that the SPN account has been created successfully.
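
Because the "Successfully mapped" hint cannot be trusted on its own, the result can be checked against the directory after ktpass has run. The script below is an added example, not part of the original case: it reports the ktpass.exe file version in use, checks that the realm suffix is in capital letters, and reads the servicePrincipalName attribute of secoadmin from AD. The tool path and the realm EXAMPLE.COM are assumed placeholders, and it is assumed to run in PowerShell on a domain-joined machine.

```powershell
# Added example: post-check after running ktpass. Not from the original case.
param(
    [string]$KtpassPath = 'C:\tools\ktpass.exe',   # assumed location of the tool
    [string]$Account    = 'secoadmin',              # account named in the case
    [string]$Spn        = 'seco/SPN',               # SPN as quoted in the ktpass hint
    [string]$Principal  = 'seco/SPN@EXAMPLE.COM'    # placeholder realm, replace with the real one
)

$problems = @()

# 1. Report which ktpass.exe build is in use, so it can be compared with
#    the copy taken from the win2003 server SP2 CD.
if (Test-Path $KtpassPath) {
    $ver = (Get-Item $KtpassPath).VersionInfo
    Write-Host "ktpass.exe file version: $($ver.FileVersion)"
} else {
    $problems += "ktpass.exe not found at $KtpassPath"
}

# 2. The domain (realm) suffix of the principal must be in capital letters.
$realm = ($Principal -split '@', 2)[1]
if (-not $realm -or ($realm -cne $realm.ToUpper())) {
    $problems += "Realm suffix '$realm' is missing or not upper case"
}

# 3. Do not rely on the "Successfully mapped" hint: read the account's
#    servicePrincipalName attribute from AD and look for the expected SPN.
$searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$Account))"
[void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
$user = $searcher.FindOne()
if (-not $user) {
    $problems += "Account '$Account' not found in the directory"
} else {
    $registered = @($user.Properties['serviceprincipalname'])
    # -notcontains compares case-insensitively, as SPN matching does
    if ($registered -notcontains $Spn) {
        $problems += "SPN '$Spn' is not registered on '$Account'"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "SPN '$Spn' is registered on '$Account'."
```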

Suggestions

When deploying Secospace sites in the future, pay attention to the choice of ktpass tool (suggest using win2003 server; if the operating system is upgraded from the win 2000 server to Win 2003 server sp, use the Windows 2000 Resource Kit tool set).